This policy explains how TrekTastes handles the personal data of Vendor Platform users, in compliance with the GDPR and the Dutch AVG. Data-processing roles for customer order data are set out in the separate Data Processing Agreement; customers are covered by the Customer Privacy Policy.
The “In short” notes are plain-language summaries for readability only — the full policy text below each summary is what applies.
1. Who we are
Arkstasis (eenmanszaak), Amsterdam, the Netherlands, KvK no. 42057592, operating the TrekTastes platform, is the controller for the personal data of Vendor Platform users described in this policy. Contact: privacy@trektastes.com.
2. What data we process
- Business and identity data: business name, VAT number, your name and role, contact details and address. For sole traders, much of this is personal data.
- Stripe onboarding status: Stripe collects your KYC and banking data directly under your own Stripe agreement (Stripe is an independent controller for that). We store your Stripe account identifier and verification status flags.
- Operational data: menus, prices, order history, payout summaries and event participation.
- Technical data: device information, IP address and app usage, for security and service improvement — processed on our own self-hosted EU infrastructure. No crash reports or usage analytics are sent to any third party today; if we introduce them, we will update this policy first.
3. Why we process it (purposes and legal bases)
We process your data on the following legal bases under GDPR art. 6:
- Operating your vendor account, listings and order queue — contract (art. 6(1)(b)).
- DAC7 seller reporting to the Belastingdienst and fiscal record-keeping — legal obligation (art. 6(1)(c)).
- Fraud prevention, platform security, dispute and chargeback handling, and food-safety incident handling — legitimate interests (art. 6(1)(f)).
- Product news and marketing to vendors — consent, or soft opt-in where permitted.
4. Who receives your data
- Stripe — payments; an independent controller for the KYC data you provide under your own Stripe agreement.
- Our hosting provider — the infrastructure on which our self-hosted platform runs.
- An off-site backup provider — receives only AES-256/GPG-encrypted artifacts.
- The Expo push-notification relay — transport only; notification payloads carry no message content.
- The Belastingdienst — the annual DAC7 report.
- Event organisers — the limited listing and participation data needed to run their event.
- Authorities — where we are legally required.
We do not sell your data.
5. International transfers
The only cross-border flows today are the Expo push relay (United States — transport only) and off-site backups to an external provider, which receives only AES-256/GPG-encrypted artifacts. For these we rely on an adequacy decision (e.g. the EU–US Data Privacy Framework for certified providers) or the European Commission's Standard Contractual Clauses. Everything else runs on our own self-hosted EU server.
6. How long we keep your data
We keep account and listing data for the duration of your account. Financial and DAC7-relevant records are retained for 10 years in line with Dutch fiscal retention obligations. Other categories are kept only as long as needed for the purpose they were collected for. You may request deletion at any time; statutory retention obligations may prevent full immediate deletion.
7. Your rights
Under GDPR you have the right to access, rectify, erase, restrict, port and object to the processing of your data, and to withdraw any consent at any time. To exercise your rights, contact privacy@trektastes.com. You may also lodge a complaint with the Dutch DPA, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
8. Security
We protect your data with encryption in transit and at rest for archived records, database role stratification (runtime roles cannot read credential or KYC columns), audit logging and encrypted off-site backups, per the technical and organisational measures in the Data Processing Agreement. You must keep your credentials confidential and tell us about any suspected unauthorised access.
9. Changes to this policy
We will announce material changes before they take effect and keep previous versions available on request.